Creating a Jamf Protect Action Configuration for Splunk

Jamf Protect Documentation


In the macOS Security portal, use your HTTP event collectors from Splunk as data endpoints for each macOS Security data type you want to collect.

Requirements

HTTP event collectors for macOS Security data types in Splunk. For more information, see Creating HTTP Event Collectors and Tokens in Splunk.

  1. In Jamf Protect, click Actions.
  2. Click Edit on an existing action configuration or click Create Action to create a new one.
  3. For each macOS Security data type, add a new data endpoint:
    1. In Data Endpoints, click + Add.
    2. Select HTTP.
    3. In the URL field, enter the raw collector URL for your deployment:
       Splunk Enterprise: https://your-splunk-instance:8088/services/collector/raw
       Splunk Cloud: https://your-splunk-instance:443/services/collector/raw
    4. Click + Add HTTP Header and enter the following:
       Name: Authorization
       Value: Splunk <HEC Token>
    5. From Alerts, select the level of alerts you want to collect.
    6. From Logs, select the data types you want to collect.
  4. (Optional) Repeat the previous step to add additional data endpoints.
  5. Click Save.

The action configuration is updated and available to add to Jamf Protect plans in the macOS Security portal.
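A preflight check for the endpoint and header entered above, as an added example (not Jamf's or Splunk's own code): it builds the same URL and Authorization header the steps describe, posts a constructed test event to the raw collector, and reads Splunk's JSON reply so a bad token or wrong port is caught before the action configuration is saved. The host name, token and event body are placeholders.

```python
"""Preflight a Splunk HEC endpoint for a Jamf Protect action configuration.
Assumes the URL forms and the "Authorization: Splunk <HEC token>" header from
the steps above; host, token and the sample event are constructed placeholders."""
import json
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/raw"


def hec_url(host, cloud=False):
    """Raw collector URL: port 8088 for Splunk Enterprise, 443 for Splunk Cloud."""
    port = 443 if cloud else 8088
    return f"https://{host}:{port}{HEC_PATH}"


def build_request(url, token, event):
    """Compose the POST the action configuration will send: JSON body plus HEC auth header."""
    body = json.dumps(event).encode("utf-8")
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def interpret_response(status, body):
    """HEC replies with JSON {"text": ..., "code": ...}; only code 0 with HTTP 200 is success.
    Returns (ok, human-readable summary)."""
    try:
        reply = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        # Not a HEC answer at all (e.g. a proxy or load balancer error page).
        return False, f"HTTP {status}: non-JSON reply {body[:80]!r}"
    ok = status == 200 and reply.get("code") == 0
    return ok, f"HTTP {status}: {reply.get('text', '?')} (code {reply.get('code')})"


def send_test_event(url, token, event, timeout=10):
    """Send one event and interpret the reply; 4xx/5xx answers still carry a HEC JSON body."""
    req = build_request(url, token, event)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret_response(err.code, err.read())


if __name__ == "__main__":
    # Constructed sample event and placeholder host/token; replace before running.
    sample = {"source": "jamf-protect-preflight", "message": "HEC connectivity test"}
    ok, summary = send_test_event(hec_url("your-splunk-instance"), "<HEC Token>", sample)
    print("OK" if ok else "FAILED", summary)
```

Run it once per data endpoint you plan to add; a reply other than "Success (code 0)" means the URL, port or token in the action configuration needs correcting.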